Abnormal Security Data Privacy Framework Notice

Abnormal is responsible for personal data that we receive under the Data Privacy Framework, including where it transfers such personal data to a third party acting as our agent. Abnormal complies with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions, unless Abnormal proves that it is not responsible for the event giving rise to damage. Please be aware that we may be required to disclose personal data that we receive under the DPF in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. The Federal Trade Commission has jurisdiction over Abnormal’s compliance with the Data Privacy Framework. Your Choices and Rights We offer you choices regarding the collection, use, and sharing of your personal information and we will respect the choices you make in accordance with applicable law. You may choose (opt-out) whether your personal information is (i) disclosed with a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized. You may indicate your choice by clicking through the appropriate dialogue box to opt-out or by emailing us at privacy@abnormalsecurity.com. Please note that if you decide not to provide us with certain personal information, you may not be able to access certain features of the Abnormal websites and applications that link to this Privacy Notice (“Sites”) or use our cloud-based cybersecurity platform (the “Service”). Account Information If you are a User of the Service you may correct, update, or delete your account information, please log on to your Abnormal account and update your profile. Opt out of marketing We may periodically send you marketing communications that promote our products and services consistent with your choices. YOU MAY OPT OUT FROM RECEIVING SUCH COMMUNICATIONS BY FOLLOWING THE UNSUBSCRIBE INSTRUCTIONS IN THE COMMUNICATION YOU RECEIVE OR EMAIL US AT PRIVACY@ABNORMALSECURITY.COM. Please note that we may still send you important service-related communications regarding our products or services, such as communications about your subscription or account, service announcements, or security information. Your privacy rights Depending upon your place of residence, you may have rights in relation to your personal information. Please review the jurisdiction-specific sections below, including the disclosures for California residents. Depending on applicable data protection laws, those rights may include asking us to provide certain information about our collection and processing of your personal information or requesting access, correction, or deletion of your personal information. You also have the right to withdraw your consent, to the extent we rely on consent to process your personal information. If you wish to exercise any of your rights under applicable data protection laws, email us at privacy@abnormalsecurity.com. We will respond to requests that we receive in accordance with applicable laws. Abnormal may take certain steps to verify your request using information available to us, such as your email address or other information associated with your Abnormal account, and if needed we may ask you to provide additional information for the purposes of verifying your request. Any information you provide to us for verification purposes will only be used to process and maintain a record of your request. As described above, we may also process personal information that has been submitted by a Customer to our Service. If your personal information has been submitted to the Service by or on behalf of a Customer and you wish to exercise your privacy rights, please direct your request to the relevant Customer. For other inquiries, please contact us at privacy@abnormalsecurity.com. Additional Information for Certain Jurisdictions This section provides additional information about our privacy practices for certain jurisdictions. California If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with additional information regarding your rights with respect to your “personal information.” You may make the following types of requests under the CCPA with respect to personal information that we process on your behalf. Note: if you wish to make a CCPA request with respect to Personal Information submitted through or otherwise made available to the Service, please direct your request to the relevant Customer directly, as that data is governed by the terms of our agreement with our Customer. Request to Know, Correct, and Delete: You may request

• Access to a copy of the specific pieces of personal information that we have collected about you;
• Correction of personal information that we maintain about you, if it is inaccurate; and/or
• Deletion of personal information, subject to certain exceptions.

Requests to Opt-Out of Sale or Sharing: You may also opt out of the “sale” or “sharing” of your personal information, as “sale” and “sharing” are defined under CCPA. You may opt-out of the “sale” or “sharing” of personal information as described in the “Opt out of marketing” section of this Privacy Notice. Other US States Depending on applicable laws in your state of residence, you may request to: (1) confirm whether or not we process your personal information; (2) access, correct, or delete personal information we maintain about you; (3) receive a portable copy of such personal information; and/or (4) restrict or opt out of certain processing of your personal information, such as targeted advertising, or profiling in furtherance of decisions that produce legal or similar significant effects. If we refuse to take action on a request, we will provide instructions on how you may appeal the decision. We will respond to requests consistent with applicable law. European Economic Area, UK and Switzerland If you are located in the European Economic Area, United Kingdom or Switzerland, the controller of your personal information is Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107 United States. We collect your personal information if we have a legal basis for doing so. The legal basis that we rely on depends on the personal information concerned and the specific context in which we collect it. Generally, we collect and process your personal information where:

• We need it to enter into or perform a contract with you, such as to provide you with the Service, respond to your request, or provide you with customer support;
• We need to process your personal information to comply with a legal obligation (such as to comply with applicable legal, tax and accounting requirements) or to protect the vital interests of you or other individuals;
• You give us consent, such as to receive certain marketing communications; or
• Where we have a legitimate interest, such as to respond to your requests and inquiries, to ensure the security of the Sites and Service, to detect and prevent fraud, to maintain, customize and improve the Sites and Service, to promote Abnormal and our Service, and to defend our interests and rights.

If you have consented to our use of your personal information for a specific purpose, you have the right to change your mind at any time but this will not affect our processing of your information that has already taken place. You also have the following rights with respect to your personal information:

• The right to access, correct, update, or request deletion of your personal information;
• The right to object to the processing of your personal information;
• The right to withdraw your personal information at any time, if we collected and processed your personal information with your consent; and
• The right to lodge a complaint with your national data protection authority or equivalent regulatory body.

If you wish to exercise any of your rights under data protection laws, please contact us as described under “Your Choices and Rights”.